Cisco ISE Deployment

Cisco ISE deployment for a NAC solution.
I would like to understand how this can be deployed for 2 data centers.
Data center 1 will be the primary and data center 2 will be the secondary.
All my sites will be connected to both my primary and backup DC.
For my NAC solution I need to install the necessary Cisco ISE components in both my production and backup DC.
So in this case I would like to understand how failover and redundancy work for Cisco ISE between the DCs for my NAC solution.

If anyone has any details or documents, kindly share.

btan (Exec Consultant) commented:
Some good references:

Setting Up Cisco ISE in a Distributed Environment

Cisco TrustSec How-To Guide: ISE Deployment Types and Guidelines
In midsize to large enterprise deployments, ISE functions can be divided into several dedicated service nodes called "personas", e.g. "Policy Administration Node (PAN)", "Policy Service Node (PSN)", "Monitoring Node (MNT)" and "Inline Posture Node (IPN)". The main goal of dividing into dedicated service nodes is to distribute the load and traffic caused by authentication services, and to avoid points of failure by centralizing service in one appliance.

Check out:
- Basic 2-Node (Redundant) Deployment: Up to 2,000 Endpoints (SMB). When ISE appliances form redundancy, you can configure them to serve as primary and secondary nodes for administration and monitoring services. Having a single primary administration node and multiple secondary nodes is sometimes referred to as an ISE distributed deployment.

- Distributed Deployment: 2,000 to 10,000 Endpoints (detaching the PSN from the PAN or MNT). In this type of distributed deployment, we recommend two sets of Cisco ISE nodes for admin and monitoring functions and up to five PSNs. If you have more than two PSNs in a single location, you can cluster those PSNs behind a load-balancing device (such as a Cisco Application Control Engine) for better performance. Additionally, other network access devices (NADs), such as ones in the second campus network, can point to the headquarters PSN as a secondary RADIUS server for high-availability purposes.

- Distributed Deployment: Up to 100,000 Endpoints (Maximum) (personas separated onto dedicated appliances). ISE supports up to two dedicated PANs and two dedicated MNTs. Each dedicated appliance can serve as primary or secondary node to maintain resiliency in case of service failure. When these nodes are separated onto dedicated appliances, the number of supported PSNs also increases. With 2x PANs and 2x MNTs, ISE supports up to 40 PSNs, supporting 100,000 endpoints concurrently. If your company has a single data center, primary and secondary PANs and MNTs can be connected in different segments. With multiple data centers, it is more common to separate those personas across the data center locations for disaster recovery (DR) purposes. Of course, the personas communicate with each other to synchronize endpoint data, session information and state, and configuration changes. With distributed personas, it is important to understand the types of communication between nodes to prevent a node from going out of sync.

A distributed deployment design needs to support all the required communication protocols between personas. For instance, PAN and PSN communicate to replicate and synchronize policy and configurations. Those two appliances use HTTPS (TCP/443) and Oracle DB Listener and AQ (TCP/1521) to perform replication and synchronization. ICMP is also used to perform a heartbeat between the PAN and PSN.
Craig Beck commented:
Simply put, failover just happens. You list both ISE boxes in the NAC client if they're running the PSN persona.
SrikantRajeev (Author) commented:
For this, from the switch perspective, should I configure both ISE IP addresses as active/standby?
So in case my primary site is down, will it point to the secondary site IP address?
Is it recommended to have redundancy at the local site, or is it sufficient to have redundancy at site level across the 2 DCs?
Craig Beck commented:
Yes, configure both on the switch, but remember to include both in any ACLs you have configured.

Redundancy scenarios depend on how your network is designed and how much redundancy you want. It's quite common for ISE servers to be distributed across L3 boundaries in separate DCs, for example.
btan (Exec Consultant) commented:
Agree with Craig Beck, that is normal for HA, and clustering with a heartbeat is normal as well. It also applies during switch upgrades, to ensure an alternate route is always made available.

Also, at least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. You may want to consider dedicating a node solely to monitoring for optimum performance. Other points for redundancy:
a) There must be at least one Monitoring ISE node in a distributed deployment. At the time of configuring your primary Administration ISE node, you must enable the Monitoring persona. After you have registered a secondary Monitoring ISE node in your deployment, you can edit the primary Administration ISE node and disable the Monitoring persona, if required.
b) When you register an ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. Replication is the process of sharing ISE configuration data from the primary to the secondary nodes. Replication ensures consistency among the configuration data present in all the ISE nodes that are part of your deployment.

If I may extract the following for info:
Guidelines for Setting Up a Distributed Deployment
Read the following statements carefully before you set up Cisco ISE in a distributed environment:
•There are two types of nodes in a Cisco ISE distributed deployment: the ISE node and the Inline Posture node. An ISE node can assume the Administration, Policy Service, and Monitoring personas at the same time. An ISE node can be a primary, secondary, or standalone node.

•The Administration, Policy Service, and Monitoring personas will be enabled by default in a standalone ISE node.

•You must first configure a primary Administration ISE node and then register secondary nodes to set up a distributed deployment.

•There can be only one primary ISE node in a distributed deployment and it must assume the Administration persona. You can have a maximum of two ISE nodes that assume the Administration persona, one being your primary and the other a secondary node.

•All Cisco ISE system-related configuration and configuration related to functionality should be done only on the primary Administration ISE node. The configuration changes that you perform on the primary Administration ISE node are replicated to all the secondary nodes in your deployment.

•When the primary Administration ISE node goes down, you must log into the user interface of the secondary Administration ISE node and make it the primary node.

•The Inline Posture node requires a dedicated node. No other persona or service can run on a node that is designated as an Inline Posture node.

•A properly configured Domain Name System (DNS) server is required for a distributed deployment to work correctly. You must enter the IP addresses and fully qualified domain names (FQDNs) of the ISE nodes that are part of your distributed deployment in the DNS server.

•If you want to uninstall Cisco ISE from a secondary node, you must first deregister it from the primary Administration ISE node. You can then reimage the standalone node and reregister it with the primary Administration ISE node.
SrikantRajeev (Author) commented:
Does ISE support 802.1X MAC authentication for the PCs which are connecting to the wired and wireless network?
I want the PCs to be authenticated based on their MAC address using ISE.
Let me know if this is possible.
btan (Exec Consultant) commented:
My understanding is that it is possible using the MAC via MAB (MAC Authentication Bypass).
If a device (endpoint) does not support 802.1X, MAC address authentication can be used, based on the MAC address of the device. Of course, it is less secure because of MAC address spoofing. Hashing and encryption are not really needed because username and password are both the MAC address. EAP-MD5 or PAP is not always necessary.

The normal MAB scheme uses 4 phases during operation of the endpoint:
Phase 1: Initiation; this will time out because there is no 802.1X response
Phase 2: MAC learning; the NAD will check the MAC address with ISE after the endpoint sends the first packet
Phase 3: Authorization; ISE can push a dACL or other authorization objects like VLANs
Phase 4: Accounting
Craig Beck commented:
I just answered your other question, but I'll repeat it here...

MAB is available in ISE. There is already a policy in ISE to do wireless and wired MAB, so you just configure your switches for 802.1X and MAB, then add the MAC addresses to the internal endpoints database.
btan (Exec Consultant) commented:
To add, in case you find these extracted steps useful for reference:
Step 8      Enable various authentication method options:

! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
! If 802.1X fails, fall through to the next method (MAB)
authentication event fail action next-method
! If no RADIUS server answers, put the port in the critical-auth VLAN
authentication event server dead action authorize vlan <VLAN_number>
! When a server comes back, re-run authentication on the port
authentication event server alive action reinitialize
! IOS Flex-Auth authentication should do 802.1X then MAB
authentication order dot1x mab
authentication priority dot1x mab

Step 9      Enable 802.1X port control on the switchport:

! Enables port-based authentication on the interface
authentication port-control auto
! Drop traffic from unexpected additional MACs instead of err-disabling the port
authentication violation restrict

Step 10      Enable MAC Authentication Bypass (MAB):

! Enable MAC Authentication Bypass (MAB)
mab

Step 11      Enable 802.1X on the switchport:

! Enables 802.1X authentication on the interface
dot1x pae authenticator

Step 12      Set the retransmit period to 10 seconds:

! Time between EAPOL-Identity requests; with the default max-reauth-req of 2,
! MAB starts after roughly 3 x 10 seconds of silence from a non-802.1X endpoint
dot1x timeout tx-period 10
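Pulling together Craig's advice above (configure both ISE PSNs on the switch and permit both in your ACLs) and the per-port MAB/802.1X steps, here is an added example of a complete IOS switch-side configuration. It is not from the original thread or from Cisco's documentation. It assumes one PSN per data center at 10.1.1.10 (DC1) and 10.2.1.10 (DC2), a placeholder shared secret, a probe user named radius-probe, and VLAN 10 as both the access VLAN and the critical-auth VLAN used when no PSN answers; all of those are assumptions. What it shows that the thread only states in words: failover between the DCs is driven by the switch's RADIUS dead-server detection and the server order in the AAA group, not by anything ISE does on its own.

```ios
! Added example, not part of the original thread. Hostnames, IPs, the shared
! secret, the probe user and the VLAN numbers are assumed values.
aaa new-model
!
! One RADIUS server object per PSN (IOS 15.x "radius server" syntax).
! automate-tester sends periodic Access-Requests so a dead PSN is noticed
! even when no user is authenticating.
radius server ISE-DC1-PSN
 address ipv4 10.1.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe
radius server ISE-DC2-PSN
 address ipv4 10.2.1.10 auth-port 1812 acct-port 1813
 key <shared-secret>
 automate-tester username radius-probe
!
! Group both PSNs; IOS tries them in the order listed, so DC1 is preferred
! and DC2 is used only once DC1 is marked dead.
aaa group server radius ISE-PSNS
 server name ISE-DC1-PSN
 server name ISE-DC2-PSN
!
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
!
! Accept Change of Authorization (UDP 1700 by default) from either PSN,
! so a re-profiled or quarantined endpoint is re-authorized whichever DC is active.
aaa server radius dynamic-author
 client 10.1.1.10 server-key <shared-secret>
 client 10.2.1.10 server-key <shared-secret>
!
! Mark a PSN dead after 3 unanswered requests within 5 seconds, keep it dead
! for 15 minutes, then retry it. Requests meanwhile go to the next server in the group.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Send the attributes ISE uses to match MAB, identify the NAD and profile endpoints.
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description Access port: 802.1X first, then MAB
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 authentication periodic
 authentication timer reauthenticate server
 authentication event fail action next-method
 ! Both DCs unreachable: keep the port usable in the critical-auth VLAN
 authentication event server dead action authorize vlan 10
 authentication event server alive action reinitialize
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Two practical notes. The order inside `aaa group server radius` is the preference order, so switches at a site that is closer to DC2 should list ISE-DC2-PSN first; both PSNs must be registered in the same ISE deployment so the policy and endpoint database are identical whichever one answers. And, as Craig points out, any ACL or firewall between the access layer and the DCs must permit UDP 1812/1813 from the switches to both PSNs and UDP 1700 (CoA) from both PSNs back to the switches, otherwise the failover path exists on paper only. The automate-tester probes will show up as failed authentications in ISE unless you create the probe account there or are happy to ignore them.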

SrikantRajeev (Author) commented:
Checking this out.